ffraenz / private-composer-installer

Composer install helper outsourcing sensitive keys from the package URL into environment variables
MIT License

Side effect free env variables #12

Closed GrahamCampbell closed 5 years ago

ffraenz commented 5 years ago

Could you elaborate on what env side effects you are trying to remove?

Environment variables may be set without a .env file (e.g. web server / Docker config). Thus the .env file should only be loaded as soon as the first env variable can't be found for a given key.

GrahamCampbell commented 5 years ago

The problem is that loading the env file then loads your secrets for the entire process to see. This could be a problem if composer is being run within a larger app or long running process, instead of via the cli command.

GrahamCampbell commented 5 years ago

This change means that the dotenv file is not actually loaded into your environment, and its contents are only locally seen by this plugin.
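
Added example, not part of the thread and not the plugin's own code: a PHP illustration of the behaviour discussed above, where real environment variables are checked first and the .env file is parsed lazily into a private array instead of the process environment. The class name `LocalEnv`, the key `PLUGIN_KEY` and the simplified `KEY=value` parser are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration; requires PHP 8.0+.
final class LocalEnv
{
    /** @var array<string,string>|null Parsed .env values, private to this object */
    private ?array $fileValues = null;

    public function __construct(private string $dotenvPath) {}

    public function get(string $key): ?string
    {
        // 1. Real environment first (web server / Docker config).
        $value = getenv($key);
        if ($value !== false) {
            return $value;
        }
        // 2. Parse the .env file only on the first miss, then reuse the result.
        $this->fileValues ??= $this->parse();
        return $this->fileValues[$key] ?? null;
    }

    private function parse(): array
    {
        $values = [];
        if (!is_readable($this->dotenvPath)) {
            return $values;
        }
        foreach (file($this->dotenvPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
            $line = trim($line);
            if ($line === '' || $line[0] === '#' || !str_contains($line, '=')) {
                continue; // skip blanks, comments and malformed lines
            }
            [$name, $val] = explode('=', $line, 2);
            $values[trim($name)] = trim(trim($val), "\"'");
        }
        return $values; // never passed to putenv(), $_ENV or $_SERVER
    }
}

// Constructed sample input written to a temporary file.
$path = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($path, "# constructed sample\nPLUGIN_KEY=\"example-secret\"\n");
$env = new LocalEnv($path);
var_dump($env->get('PLUGIN_KEY'));    // value resolved from the private array
var_dump(getenv('PLUGIN_KEY'));       // process environment was not modified
var_dump(isset($_ENV['PLUGIN_KEY'])); // superglobal was not modified either
unlink($path);
```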

ffraenz commented 5 years ago

I see, thanks for the explanation. Would you give me push access to the PR to make additions?

GrahamCampbell commented 5 years ago

You should already have access to the branch. I never disabled it.

coveralls commented 5 years ago

Pull Request Test Coverage Report for Build 30


Totals Coverage Status
Change from base Build 26: 0.0%
Covered Lines: 72
Relevant Lines: 72

💛 - Coveralls

GrahamCampbell commented 5 years ago

This looks much better now.

ffraenz commented 5 years ago

@GrahamCampbell Thanks again for the heads-up! I published the changes in a new major release.